A.T.M. ‘Skimming’ Fraud Is Surging, but You Can Take Precautions

Skimming involves stealing debit card numbers by putting an illegal card reading device on an A.T.M. Criminals use the devices in tandem with hidden cameras that record personal identification numbers entered onto the keypad. They then make duplicate cards using the information and drain cash from bank accounts.

FICO Card Alert Service, which monitors activity at A.T.M.s for bank clients, is reporting a sixfold increase in the number of machines in the United States compromised by criminals in 2015, compared with 2014. The service is an arm of analytic software company FICO, best known for providing consumer credit scores.

The FICO service, which monitors hundreds of thousands of A.T.M.s, first reported an increase in the fraud about a year ago. The company said it was contractually barred from disclosing the actual number of incidents, but noted that the number for all of 2015 was the highest the service had ever recorded.

This month, a man was arrested in San Diego County, Calif., and charged with placing skimming devices on Wells Fargo A.T.M.s across the county. He was accused of using stolen data from nearly 4,900 cards to create counterfeit cards that were then used to steal nearly half a million dollars, much of which was sent overseas.

Hilary O’Byrne, a Wells Fargo spokeswoman, said in an email statement that the bank tests new security devices and technology to safeguard its A.T.M.s, but she declined to provide details because “we don’t want to compromise those efforts.” Wells Fargo conducts regular inspections of A.T.M.s and their keypads, she said, and takes reports of suspicious activity seriously.

While the episode shows that banks are not immune, nonbank A.T.M.s, meaning those in locations like convenience stores, are increasingly the targets, said T. J. Horan, vice president for fraud solutions at FICO. In 2015, he said, 60 percent of the compromises were at nonbank A.T.M.s, up from about 39 percent in 2014.

And while A.T.M. fraud was previously concentrated in big cities on the East and West Coasts, it is now spreading throughout the country, Mr. Horan said.

Although more banks are issuing credit and debit cards containing tiny computer chips that are more difficult to counterfeit, not all retailers accept them yet. So most cards still have magnetic strips attached to the back of the cards as well. This makes it possible to steal the information from the strips, and allows criminals to use the counterfeit cards created by skimming. “Cards with mag stripes are vulnerable to skimming, period,” Mr. Horan said. “It’s a bit of a transition period Catch-22.”

Mr. Horan said criminals were also using a “quick hit” approach, moving faster to make it harder for banks to react. The estimated loss per card is about $600.

Here are some questions and answers about A.T.M. safety.

■ How can I tell if an A.T.M. has a skimmer?

Kurt Baumgartner, principal security researcher with the cybersecurity company Kaspersky Lab, said customers should take note of anything that looks unusual about an A.T.M., particularly the slot where the card is inserted. If the fixture wiggles, or appears to be attached with glue, that’s an indication that a skimming device is attached.

Skimmers are also a big problem at gas station pumps, but it’s getting harder to detect skimmers at those locations because they are increasingly installed inside the pumps, Mr. Baumgartner said. So consumers, he said, should be vigilant in keeping track of their bank account to note any unfamiliar transactions.

In most cases, yes. Under the Electronic Fund Transfer Act, consumers generally aren’t liable for funds stolen from their bank account through fraud like skimming, as long as it’s reported within 60 days, said Paul Stephens, policy director of the Privacy Rights Clearinghouse, a consumer group. What’s more, many banks say they offer a blanket “zero liability” policy for such incidents. Ms. O’Byrne, the Wells Fargo spokeswoman, said, “Customers affected by any type of fraud are fully reimbursed.”

Still, Mr. Stephens said there was some possibility that you could be without cash for a few days in some situations, while the bank investigates. For that reason, he suggests that if you are a frequent debit card user, you may want to keep a separate savings account at a different financial institution, so you have backup funds available in case there’s a delay in restoring stolen cash.

■ How can I avoid having my card skimmed?

Michael Lee, chief executive of the ATM Industry Association, said consumers could reduce their risk when using A.T.M.s by covering the keypad with their free hand while they enter their PIN. This prevents “shoulder surfing” — in which someone behind you watches you enter your PIN — or having the number recorded by an illegal camera. “The PIN is the front door key, and if you protect the PIN fraud cannot be committed against that cardholder,” Mr. Lee said in an email.

Mr. Stephens also suggested avoiding A.T.M.s in nonbank locations because direct video surveillance may be less likely at those locations.

Yourmoneyadviser@nytimes.com

A version of this article appears in print on April 9, 2016, on Page B4 of the New York edition with the headline: An A.T.M. Scam Is Surging, but There Are Basic Precautions. Order Reprints|Today's Paper|Subscribe